How to Easily Auto Update WordPress, Themes, and Plugins

Wouldn’t you agree that one of the greatest annoyances about working in WordPress is that little nag at the top of the admin dashboard that screams, “Update me!”?

I mean, it’s not like you aren’t aware that there are updates that need to be processed. It’s just that it would be nice if WordPress would automatically take care of them for you. They need to be addressed–and they’re going to be addressed eventually–so why not get off our backs and just do it for us already?

Here’s the thing: WordPress updates can get complicated. I’m not talking about the process by which you make them–that really only requires the click of a button. I’m referring more to the circumstances surrounding that update.

So, let’s take a look at why WordPress developers have been so reluctant to implement auto-updates across the board and what you can do as a workaround for it.

Why Hasn’t WordPress Added Auto-Update to Core?

It’s not like WordPress hasn’t made strides towards streamlining the update process for its users.

WordPress 4.7

In 2008, with the release of version 2.7 “Coltrane”, WordPress made the bold announcement that:

“[T]his may be the last time you ever have to manually upgrade WordPress again.”

At the time, that was huge news, but it didn’t mean what those of us nearly ten years later would understand it to mean. What WordPress had done was add an update notification system that informed users of when an update was ready. They then just had to log in and allow for WordPress to process the update.

WordPress 3.7

In 2013, and with the release of version 3.7 “Basie”, WordPress finally added auto-updates for minor releases. For example:

Under special circumstances, they would also automatically issue patches to plugins or themes that required immediate attention.

Outside of these two initiatives, however, WordPress hasn’t been of much help in cutting down on the work required to keep a website’s core, plugins, and themes up-to-date. While it’s easy to gripe about how “easy” this should be, the WordPress team likely has a number of good reasons for keeping this functionality out of the system:

1. WordPress API Security

The WordPress API presents a major security risk if it’s not carefully monitored. Wordfence actually stumbled upon a serious problem within it about a year back.

They luckily were able to notify WordPress right away and WordPress, in turn, repaired the vulnerability. However, if hackers had discovered it first and the core were auto-updated on all users’ sites, that could’ve resulted in some major problems. Problems for developers who needed to clean up their infected sites. And problems for WordPress after inevitably facing backlash for even allowing it to happen.

2. Backups

In an ideal world, you would back up your website right before making any updates to WordPress–the core, plugins, or themes. By allowing WordPress to initiate auto-updates, however, the most they would be able to do is send you a notification directly before an update comes through. Since WordPress wouldn’t have control over whatever backup plugin [link to Backup Plugin Pros and Cons article] or process you use, they’d have to rely on you to generate a backup before any update happened.

3. Post-Update Monitoring

There’s also what happens to your website after an update goes through. If you’re being smart about backing up your site beforehand, then you should be reviewing your site afterward to ensure that nothing is amiss.

This isn’t just about security either. It’s about compatibility. What if a new version of a plugin conflicts with a new version of the core? You won’t know unless you stay mindful of updates. Automating them would remove your ability to take swift action.

4. Plugin and Theme Concerns

If WordPress takes steps to auto-update the core, then you know users are going to clamor for auto-updates to plugins and themes as well. While the security team can force updates to plugins and themes that need immediate patches, the responsibility of updating those third-party tools lies with the developer.

Plus, there’s always the possibility that those auto-updates will “break” a site. WordPress can’t and shouldn’t be liable for automating those updates in that case.

5. User Pushback

For every vote for “yea” on the auto-update question, you’ll probably find a “nay” vote too. For some people, auto-updates just aren’t wanted. That’s why some people actually turn off auto-updates or core update notification emails altogether.

For some developers, this makes sense, especially if they have a highly customized theme and didn’t create a child theme. Or if they use a lot of plugins and have to inevitably deal with the onslaught of updates for them. Then there are some who are just really uncomfortable with the idea of allowing WordPress to automate any updates.

With what seems to be just as much pushback against auto-updates as there is support for them, this puts WordPress in a difficult spot.

Why WordPress Updates Are Critical for Security

Okay, so I’d like to show you something.

Under the “Advanced” stats for each plugin in the WordPress repository, you’ll find information regarding which version of the plugin its users are on.

There is a reason why this note exists before anyone tries to revert back to an older version of a plugin:

It’s because plugins and themes are not known for being inherently secure. The WordPress security team can vet these tools as they come in, but it’s never going to be a 100% foolproof strategy. In fact, Wordfence reports that 55.9% of website infections are caused by plugin vulnerabilities.

This is why all WordPress users should be super diligent about keeping everything–the core, plugins, and themes–up to date. There should be barely any lag time between when the latest issue was released and when you implement it on your site. It doesn’t take much work at all, just a simple click of a button, to initiate the update.

But it’s not just up to you to keep a site up to date. What happens when you hand a completed project to a client and that’s the end of your relationship? You can’t reasonably expect them to monitor their site for updates every day and to make each of them on the spot.

This is why there are hosting companies like SiteGround and BlueHost that enforce core auto-updates.

This is also why there are plugins that will automate core, theme, and plugin updates for users.

Basically, there are plenty of folks out there who want to encourage smart update practices, whether that’s through doing the work themselves or by automating the process. Because, let’s face it, a hacked website opens the door to problems for everyone: website visitors, customers of your company, and even other websites that share space on a server or that exist within a Multisite network.

The Solution: Auto Updates with Automate

Perhaps the real issue here isn’t the fact that WordPress hasn’t enabled a universal system for auto-updates. After all, there are clear reasons why auto-updates could cause more trouble than they’re worth. Maybe the real issue is the way in which these updates are delivered.

Think about it: you log into WordPress, you have your perfectly minimal WordPress dashboard, and then you see it. That red marker telling you there’s an update waiting. Or you see a note at the top of the page that says there’s a new version of WordPress ready for updating.

How annoying!

And you know what happens when people in the digital age find something annoying? They start to develop notification blindness. It’s like those update notifications are just a nuisance begging to be X’ed out or ignored.

Plus, think about it from your clients’ standpoint. They log into WordPress, excited about writing a new blog post today. But then they see some weird red flag that they don’t understand and are completely intimidated by. It’s like seeing a flashing warning on your car’s dashboard. You determine whether it needs immediate action or if it can maybe wait. Clients as well as other users are going to process these the same way (which isn’t good).

But you need to make these updates. That’s why a WordPress plugin that automates the process in a smart and informed way–but still gives you options on what you want to automatically update–is crucial. Soooo…

With this auto-update tool (that comes with each WPMU DEV membership), you’ll never have to worry about auto-updates again. You’ll have full control over what parts of your site get auto-updated, you can schedule backups ahead of time, and, oh yeah, the interface is much friendlier than those horrid notifications within WordPress.

Brenda Barron is a freelance writer from Southern California. She specializes in WordPress, tech, business and founded WP Theme Roundups. When not writing all the things, she's spending time with her family.

Get fresh WP updates directly to your inbox.

6 Responses

What a timely article! Just yesterday we had a customer’s WordPress site go askew after an automatic update. While the error that was generated caused some uncomfortable moments, it is well worth it. We acquired this customer because of a security issue they were experiencing, after their previous web development company did not apply WordPress or Plugin updates for some time and their website was hacked. Since we were able to clean their website and implement security and update solutions, they have not experienced a security issue in the time we have been servicing their website.

This is attributed to keeping WordPress and plugins up to date. If not you are risking your customers data. There will always be developers that do not like auto-updates, however it is far better for your business to not create security holes for your customers.

I wonder if Automate is still “only” supporting Snapshot prior to running updates? I’d like to stick with Updraft instead of Snapshot and noticed that Updraft will not be fired prior to any update performed by Automate.

So I’ve asked Updraft-Support about this issue and they have replied:

“The UpdraftPlus automatic updates are triggered by a hook in the standard WordPress update mechanism (such as ‘admin_action_upgrade-plugin’)”

So pls, dear WPMUDEVs, enable Automate to play nicer with external Backup-Solutions like Updraft soon :D

Automate is great but WPMU needs to get it beyond GoDaddy’s Pro Sites manager from WP Manager. The most value added feature would be white-label client reporting with integrations from Hummingbird (performance), Defender (security), and Google Analytics for site analytics.